This basically means that if you are logged in to the exchange, any random site you visit can log you out, cancel your orders, possibly create new orders (haven't checked this one yet), or withdraw your money to the attacker's address (I have successfully done this with my own account).

Not to mention that in the process of testing it my 0.5 BTE magically turned into 0.005 BTE. I made one order to sell 0.5 BTE at a price of 0.1 (BTC per BTE I presume, but I can't be sure since are no units given for the price, amount or total). When I cancelled it, I only got 0.05 BTE back. I did a similar thing again and it further reduced my balance to 0.005 BTE.

This basically means that if you are logged in to the exchange, any random site you visit can log you out, cancel your orders, possibly create new orders (haven't checked this one yet), or withdraw your money to the attacker's address (I have successfully done this with my own account).

Not to mention that in the process of testing it my 0.5 BTE magically turned into 0.005 BTE. I made one order to sell 0.5 BTE at a price of 0.1 (BTC per BTE I presume, but I can't be sure since are no units given for the price, amount or total). When I cancelled it, I only got 0.05 BTE back. I did a similar thing again and it further reduced my balance to 0.005 BTE.

So I'd definitely recommend avoiding this site for now/ever.

Best way to fix csrf is to use POST more(with some hidden randomly generated tokens) for most stuff, and less GET requests with dynamic data.

This basically means that if you are logged in to the exchange, any random site you visit can log you out, cancel your orders, possibly create new orders (haven't checked this one yet), or withdraw your money to the attacker's address (I have successfully done this with my own account).

Not to mention that in the process of testing it my 0.5 BTE magically turned into 0.005 BTE. I made one order to sell 0.5 BTE at a price of 0.1 (BTC per BTE I presume, but I can't be sure since are no units given for the price, amount or total). When I cancelled it, I only got 0.05 BTE back. I did a similar thing again and it further reduced my balance to 0.005 BTE.

So I'd definitely recommend avoiding this site for now/ever.

Wow you're a real jerk considering they asked for help pointing out security vulnerabilities and you go all ape-shit on them with your enormous red font.

DO NOT USE THIS SITE YETIt is vulnerable to cross-site request forgery.

This basically means that if you are logged in to the exchange, any random site you visit can log you out, cancel your orders, possibly create new orders (haven't checked this one yet), or withdraw your money to the attacker's address (I have successfully done this with my own account).

I have an easy solution for the exchange to fix the biggest problem there.

DO NOT USE THIS SITE YETIt is vulnerable to cross-site request forgery.

This basically means that if you are logged in to the exchange, any random site you visit can log you out, cancel your orders, possibly create new orders (haven't checked this one yet), or withdraw your money to the attacker's address (I have successfully done this with my own account).

I have an easy solution for the exchange to fix the biggest problem there.

Simply allow users to lock their payment address.

The correct solution is to protect against all CSRF attacks.

I also recommend avoiding this site completely until this critical issue is fixed. Any site you visit in the same browser could steal your entire balance with absolutely zero interaction from you.EDIT: FIXED

Funny, the first thing I thought of after seeing this site was "it is probably vulnerable to CSRF".